
CSA - Nsc42 - London chapter keynote - cloud transformation security challenges


Cloud Security Alliance annual meeting, London.
The presentation covers cloud transformation challenges and patterns that facilitate transformations.

Published in: Technology


  1. Cloud Transformation Challenges, for the CSA Annual Meetup. Francesco Cipollone (@FraSEC42)
  2. Our History: Helping UK Companies. We have been helping UK organizations in multiple sectors overcome security challenges since 2013:
     - Development of cybersecurity strategies
     - Audit and assessment of cloud transformation
     - Architecture support and production of artifacts
     - DevSecOps support
  3. Our Agenda (disclaimer: the pictures and the format in this presentation are under license to NSC42 Ltd):
     - About the author and company
     - Setting the context
     - Regulation
     - Shared responsibilities
     - Identities and access controls
     - Patterns
     - Processes review
     - Caveats/pitfalls
     - Take away
     - The challenges
     - Q&A
  4. About the Author: Francesco Cipollone, Founder, NSC42 Ltd. Francesco is an accomplished, motivated and versatile security professional with several years of experience in the cyber security landscape. He helps organizations achieve strategic security goals with a driven and pragmatic approach. Francesco is a founder of NSC42 Ltd and previously co-founder of Technet SrL. ...he is known to have impostor syndrome. Definition: impostor syndrome is a psychological pattern in which an individual doubts their accomplishments and has a persistent internalized fear of being exposed as a "fraud". Ultimately security is a hard field and we are supposed to know a lot about a bit of everything; the key element is collaboration and sharing knowledge. (Links: LinkedIn, e-mail, website, articles, NSC42 LinkedIn; @FraSEC42)
  5. Context and Challenges. Setting the context and challenges:
     - Management
     - Disruption and strategy
     - Security as part of the cloud journey
     - Skills shortages
     - Architecture patterns: don't reinvent the wheel; don't take on-premises into the cloud
  6. The Challenges. In a cloud transformation, consider the following key elements:
     - Shared responsibility model
     - Regulation
     - Identities and access management
     - Different (security) patterns
     Other aspects:
     - New work methodologies (DevOps and microservices)
     - Risk management / incident management
  7. Shared Responsibility Model. Understand the shared responsibility model:
     - Who is responsible for what
     - Trust level and regulation
     - Traditional controls vs cloud controls
     Diagram: the customer defines the controls for security IN the cloud (application and content, network security, identity and access control, operating system/platform, data encryption); security OF the cloud (cloud platform) covers the physical infrastructure, network infrastructure and virtualization layer.
  8. Regulation. Understand regulation and how it will impact the transformation:
     - Not all regulations are up to speed
     - Hybrid environment: roles and responsibilities
     - Adapt the mandated controls to the cloud
     - Refer to existing patterns/control sets (e.g. CSA CCM)
     - Refer to cloud-based standards (ISO 27017/18, CSA CCM)
  9. Patterns. I'd like to discuss some of the patterns that stood out in recent transformations:
     - Type: hybrid vs cloud only
     - Scaffolding
     - Traditional vs cloud controls
     - Logging and monitoring
     - Identity and access management
     Patterns for the cloud are different from traditional ones.
  10. Pattern: Scaffolding. Things to consider:
     - What works in the cloud provider
     - Shared services vs production
     - Access control and MFA
     - Isolation and RBAC
     (Diagrams: AWS and Azure)
  11. Pattern: Firewalls and Access Control. Things to consider:
     - AWS and Azure are different
     - Adapt patterns
     - Consider cloud-native controls
     (Diagrams: AWS and Azure)
  12. Pattern: Logging, Cascade Architecture and Monitoring. Things to consider:
     - Multiple types: instance vs platform
     - Access to logs
     - Cascading architecture and isolation
     - Automated incident response
     Diagram: project accounts (Dev, Test, Prod) send their application logs to a project log, which cascades to a central log read by the SOC.
  13. Pattern: Identity and Access Management. Recommendations:
     - Isolate the identity store
     - Federation
     - Roles and access control
     - API secret vs authentication
  14. Caveats/Pitfalls. Cloud transformations can be a treacherous journey, especially for security professionals. Watch out for the common pitfalls:
     - Security shall be an enabler, not a blocker
     - Security and other teams will require upskilling
     - A solid foundation enables smooth sailing of cloud projects
     "Cloud is just someone else's PC"
  15. Conclusions. Wrapping up, we've discussed:
     - Cloud transformation planning
     - Seek the support of management
     - Consider the skill shortage
     - New architectures/methodologies
  16. Take Away. Cloud transformations can be a treacherous journey, especially for security professionals:
     - Decisions supported by strategy
     - Solid foundation (security)
     - Skill shortage: be prepared to learn
     - Native cloud controls: use them
     - Patterns and architecture
     - Automation
  17. Q&A. Questions and answers.
  18. Contacts. Get in touch: Francesco.cipollone (@) Thank you. @FraSEC42
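The cascading logging pattern of slide 12 (project accounts forward instance and platform logs to a central log account, the SOC reads centrally, project accounts stay isolated, and a rule hook provides automated response) as an added, runnable Python model. This is example code written for this page, not material from the slides or from NSC42; the class names `ProjectAccount` and `CentralLog`, the `soc` role, the `mfa=false` marker in the sample log lines and the response rule are all constructed assumptions.

```python
# Added example: toy model of the cascade architecture on slide 12.
# Names, roles, sample log lines and the response rule are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    account: str    # originating project account, e.g. "prod"
    log_type: str   # "instance" (OS/application) or "platform" (cloud control plane)
    message: str


class CentralLog:
    """Central log account: project accounts may only append entries under their
    own name, only the SOC role may read, and response rules run on every entry."""

    READ_ROLES = {"soc"}   # assumption: a single read-only SOC role

    def __init__(self):
        self._entries = defaultdict(list)   # account name -> list of LogEntry
        self._rules = []                    # callables LogEntry -> action string or None
        self.alerts = []                    # (account, action) raised by the rules

    def add_rule(self, rule):
        self._rules.append(rule)

    def ingest(self, writer, entry):
        # Isolation: a project account cannot inject entries under another account's name.
        if writer != entry.account:
            raise PermissionError(f"{writer} may not write logs for {entry.account}")
        self._entries[entry.account].append(entry)
        for rule in self._rules:            # automated incident response hook
            action = rule(entry)
            if action:
                self.alerts.append((entry.account, action))

    def read(self, role, account=None):
        # Access to logs: project accounts cannot read the central store at all.
        if role not in self.READ_ROLES:
            raise PermissionError(f"role {role!r} may not read the central log")
        if account is None:
            return [e for entries in self._entries.values() for e in entries]
        return list(self._entries[account])


class ProjectAccount:
    """One environment account (dev/test/prod): keeps a local copy of its own
    logs and cascades every entry to the central log account."""

    def __init__(self, name, central):
        self.name = name
        self.central = central
        self.local = []

    def emit(self, log_type, message):
        entry = LogEntry(self.name, log_type, message)
        self.local.append(entry)               # first hop: project-local log
        self.central.ingest(self.name, entry)  # second hop: central log account
        return entry


def missing_mfa_rule(entry):
    # Constructed response rule: a platform sign-in recorded without MFA in the
    # prod account opens an incident for the SOC.
    if entry.account == "prod" and entry.log_type == "platform" and "mfa=false" in entry.message:
        return "open-incident:sign-in-without-mfa"
    return None


def build_demo():
    """Wire dev/test/prod accounts to one central log and feed constructed sample lines."""
    central = CentralLog()
    central.add_rule(missing_mfa_rule)
    accounts = {n: ProjectAccount(n, central) for n in ("dev", "test", "prod")}
    accounts["dev"].emit("instance", "app started")                          # constructed
    accounts["prod"].emit("platform", "ConsoleLogin user=alice mfa=true")   # constructed
    accounts["prod"].emit("platform", "ConsoleLogin user=bob mfa=false")    # constructed
    return central, accounts


def isolation_holds(central):
    """True if a project account can neither spoof another account nor read centrally."""
    try:
        central.ingest("dev", LogEntry("prod", "instance", "spoofed"))
        return False
    except PermissionError:
        pass
    try:
        central.read("dev")
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    central, accounts = build_demo()
    print(len(central.read("soc")), "entries visible to the SOC")
    print("alerts:", central.alerts)
    print("isolation holds:", isolation_holds(central))
```

The two checks in `isolation_holds` are the properties the slide's "cascading architecture - isolation" bullet asks for: a compromised dev account can neither write history under the prod account's name nor read what other accounts sent to the central store. In a real deployment these are enforced by the cloud provider's cross-account write-only permissions on the central log destination and by separate read permissions for the SOC, not by application code.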